Rebuild for CVE-2022-{24675,28327,29526 in golang}

No need to issue a build just for this.

.gitignore

@@ -27,3 +27,4 @@
 /toolbox-0.0.99.2^1.git9820550c82bb.tar.xz
 /toolbox-0.0.99.2^2.git40fbd377ed0b.tar.xz
 /toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz
+/toolbox-0.0.99.3.tar.xz

gating.yaml

@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts:
+  - bodhi_update_push_stable
+  - bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

sources

@@ -1 +1 @@
-SHA512 (toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz) = e9ebb306fa3fe72dede4d08e1428dbfde12fe44274b4ea7cd356cba28a90daff728c4182f13e20f8a05603aeefb4cf484611805dac2776ab38c37764e6069c5d
+SHA512 (toolbox-0.0.99.3.tar.xz) = d9e4bd1cc7667b6ecdcf25a2c3ad7d7d67cc997168a41e668c936d2de24db774331a78a1b4a06b63e7cef8e0dc4ac5651591b6d9cec0d8e81be2b2dd64854dca

tests/roles/nonroot_user/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: create nonroot user
+  user:
+    name: testuser
+    shell: /bin/bash
+- name: enable linger
+  command: loginctl enable-linger testuser

tests/roles/run_bats_tests/files/run_bats_tests.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# Run bats tests for a given $TEST_PACKAGE, e.g. buildah, podman
+#
+# This is invoked by the 'run_bats_tests' role; we assume that
+# the package foo has a foo-tests subpackage which provides the
+# directory /usr/share/foo/test/system, containing one or more .bats
+# test files.
+#
+
+export PATH=/usr/local/bin:/usr/sbin:/usr/bin
+
+FULL_LOG=/tmp/test.debug.log
+BATS_LOG=/tmp/test.bats.log
+rm -f $FULL_LOG $BATS_LOG
+touch $FULL_LOG $BATS_LOG
+
+exec &> $FULL_LOG
+
+# Log program versions
+echo "Packages:"
+rpm -q ${TEST_PACKAGE} ${TEST_PACKAGE}-tests
+
+echo "------------------------------"
+printenv | sort
+
+testdir=/usr/share/${TEST_PACKAGE}/test/system
+
+if ! cd $testdir; then
+    echo "FAIL ${TEST_NAME} : cd $testdir"      >> /tmp/test.log
+    exit 0
+fi
+
+if [ -e /tmp/helper.sh ]; then
+    echo "------------------------------"
+    echo ". /tmp/helper.sh"
+    . /tmp/helper.sh
+fi
+
+if [ "$(type -t setup)" = "function" ]; then
+    echo "------------------------------"
+    echo "\$ setup"
+    setup
+    if [ $? -ne 0 ]; then
+        echo "FAIL ${TEST_NAME} : setup"       >> /tmp/test.log
+        exit 0
+    fi
+fi
+
+echo "------------------------------"
+echo "\$ bats ."
+bats . &> $BATS_LOG
+rc=$?
+
+echo "------------------------------"
+echo "bats completed with status $rc"
+
+status=PASS
+if [ $rc -ne 0 ]; then
+    status=FAIL
+fi
+
+echo "${status} ${TEST_NAME}" >> /tmp/test.log
+
+if [ "$(type -t teardown)" = "function" ]; then
+    echo "------------------------------"
+    echo "\$ teardown"
+    teardown
+fi
+
+# FIXME: for CI purposes, always exit 0. This allows subsequent tests.
+exit 0

tests/roles/run_bats_tests/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+# Create empty results file, world-writable
+- name: initialize test.log file
+  copy: dest=/tmp/test.log content='' force=yes mode=0666
+
+- name: execute tests
+  include: run_one_test.yml
+  with_items: "{{ tests }}"
+  loop_control:
+    loop_var: test
+
+- name: pull test.log results
+  fetch:
+    src: "/tmp/test.log"
+    dest: "{{ artifacts }}/test.log"
+    flat: yes
+
+# Copied from standard-test-basic
+- name: check results
+  shell: grep "^FAIL" /tmp/test.log
+  register: test_fails
+  # Never fail at this step. Just store result of tests.
+  failed_when: False
+
+- name: preserve results
+  set_fact:
+    role_result_failed: "{{ (test_fails.stdout|d|length > 0) or (test_fails.stderr|d|length > 0) }}"
+    role_result_msg: "{{ test_fails.stdout|d('tests failed.') }}"
+
+- name: display results
+  vars:
+    msg: |
+       Tests failed: {{ role_result_failed|d('Undefined') }}
+       Tests msg: {{ role_result_msg|d('None') }}
+  debug:
+    msg: "{{ msg.split('\n') }}"
+  failed_when: "role_result_failed|bool"

tests/roles/run_bats_tests/tasks/run_one_test.yml

@@ -0,0 +1,52 @@
+---
+- name: "{{ test.name }} | install test packages"
+  dnf: name="{{ test.package }}-tests" state=installed
+
+- name: "{{ test.name }} | define helper variables"
+  set_fact:
+    test_name_oneword: "{{ test.name | replace(' ','-') }}"
+
+# UGH. This is necessary because our caller sets some environment variables
+# and we need to set a few more based on other caller variables; then we
+# need to combine the two dicts when running the test. This seems to be
+# the only way to do it in ansible.
+- name: "{{ test.name }} | define local environment"
+  set_fact:
+    local_environment:
+      TEST_NAME:    "{{ test.name }}"
+      TEST_PACKAGE: "{{ test.package }}"
+      TEST_ENV:     "{{ test.environment }}"
+
+- name: "{{ test.name }} | setup/teardown helper | see if exists"
+  local_action: stat path={{ role_path }}/files/helper.{{ test_name_oneword }}.sh
+  register: helper
+
+- name: "{{ test.name }} | setup/teardown helper | install"
+  copy: src=helper.{{ test_name_oneword }}.sh dest=/tmp/helper.sh
+  when: helper.stat.exists
+
+- name: "{{ test.name }} | run test"
+  script: ./run_bats_tests.sh
+  args:
+    chdir: /usr/share/{{ test.package }}/test/system
+  become: "{{ true if test.become is defined else false }}"
+  become_user: testuser
+  environment: "{{ local_environment | combine(test.environment) }}"
+
+- name: "{{ test.name }} | pull logs"
+  fetch:
+    src: "/tmp/test.{{ item }}.log"
+    dest: "{{ artifacts }}/test.{{ test_name_oneword }}.{{ item }}.log"
+    flat: yes
+  with_items:
+    - bats
+    - debug
+
+- name: "{{ test.name }} | remove remote logs and helpers"
+  file:
+    dest=/tmp/{{ item }}
+    state=absent
+  with_items:
+    - test.bats.log
+    - test.debug.log
+    - helper.sh

tests/tests.yml

@@ -0,0 +1,15 @@
+---
+- hosts: localhost
+  tags:  classic
+  vars:
+  - artifacts: ./artifacts
+  roles:
+  - role: nonroot_user
+  - role: run_bats_tests
+    tests:
+    - name:    toolbox
+      package: toolbox
+      environment:
+        PODMAN: /usr/bin/podman
+      become:  true
+      

toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch

@@ -1,4 +1,4 @@
-From 5ec9997c0f11bb9d1f7eee2e5014130cadc70c91 Mon Sep 17 00:00:00 2001
+From 32aa30a17358598f568991a5375f6182e4135648 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} for
@@ -20,20 +20,43 @@ Note that these flags are only meant for the "ppc64" CPU architecture,
 and should be kept updated to match Fedora's Go guidelines. Use
 'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
 ---
- src/go-build-wrapper | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ src/go-build-wrapper | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
 
 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
-index 0d27120da052..03a32bc5af33 100755
+index ef4aafc8b024..f8ea8370792c 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
-@@ -27,5 +27,6 @@ if ! cd "$1"; then
+@@ -32,9 +32,9 @@ if ! cd "$1"; then
      exit 1
  fi
  
--go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
+-tags=""
++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
+ if $6; then
+-    tags="-tags migration_path_for_coreos_toolbox"
++    tags="$tags,migration_path_for_coreos_toolbox"
+ fi
+ 
+ if ! libc_dir=$("$4" --print-file-name=libc.so); then
+@@ -69,11 +69,16 @@ fi
+ 
+ dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
+ 
 +unset LDFLAGS
-+go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox"
++
+ # shellcheck disable=SC2086
+ go build \
++        -compiler gc \
+         $tags \
+-        -trimpath \
+-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
++        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
++        -a \
++        -v \
++        -x \
+         -o "$2/toolbox"
+ 
  exit "$?"
 -- 
 2.31.1

toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch

@@ -1,4 +1,4 @@
-From 64c8066535dacbe37abc35485347c59df553bfbb Mon Sep 17 00:00:00 2001
+From 6d913f1fbd6e609957bb01273504b2f479e1b546 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild}
@@ -19,20 +19,44 @@ Note that these flags are meant for every CPU architecture other than
 PPC64, and should be kept updated to match Fedora's Go guidelines. Use
 'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
 ---
- src/go-build-wrapper | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ src/go-build-wrapper | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
 
 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
-index 0d27120da052..4793d29a7021 100755
+index ef4aafc8b024..4354beceb215 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
-@@ -27,5 +27,6 @@ if ! cd "$1"; then
+@@ -32,9 +32,9 @@ if ! cd "$1"; then
      exit 1
  fi
  
--go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
+-tags=""
++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
+ if $6; then
+-    tags="-tags migration_path_for_coreos_toolbox"
++    tags="$tags,migration_path_for_coreos_toolbox"
+ fi
+ 
+ if ! libc_dir=$("$4" --print-file-name=libc.so); then
+@@ -69,11 +69,17 @@ fi
+ 
+ dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
+ 
 +unset LDFLAGS
-+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox"
++
+ # shellcheck disable=SC2086
+ go build \
++        -buildmode pie \
++        -compiler gc \
+         $tags \
+-        -trimpath \
+-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
++        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
++        -a \
++        -v \
++        -x \
+         -o "$2/toolbox"
+ 
  exit "$?"
 -- 
 2.31.1

toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch

@@ -0,0 +1,95 @@
+From e598e2160323b63310ad7b6def723eb1f8767f90 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
+Date: Thu, 11 Nov 2021 18:18:52 +0200
+Subject: [PATCH 02/13] cmd/root: Work around Cobra 1.1.2's handling of usage
+ functions
+
+In version 1.1.2 of Cobra has been included a change[0] that changes
+how custom usage functions are handled.
+
+Example of the wrong behaviour:
+$ toolbox --foo
+Error: unknown flag: --foo
+Run 'toolbox --help' for usage.Error: Run 'toolbox --help' for usage.
+
+Desired behaviour:
+$ toolbox --foo
+Error: unknown flag: --foo
+Run 'toolbox --help' for usage.
+
+A workaround is to define a template string for the usage instead. The
+template uses the templating language of Go[1]. See the default
+template string in version 1.2.1[2].
+
+Because the template is set only once, the executableBase needs to be
+set before the template is applied. That required the move of
+setUpGlobals() into init() of the cmd package. This is a better place
+for the function call as init() is called earlier than Execute()[3].
+
+Upstream issue: https://github.com/spf13/cobra/issues/1532
+
+[0] https://github.com/spf13/cobra/pull/1044
+[1] https://pkg.go.dev/text/template
+[2] https://github.com/spf13/cobra/blob/v1.2.1/command.go#L491
+[3] https://golang.org/doc/effective_go#init
+
+https://github.com/containers/toolbox/pull/917
+---
+ src/cmd/root.go | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/src/cmd/root.go b/src/cmd/root.go
+index eb0622f..ad0753b 100644
+--- a/src/cmd/root.go
++++ b/src/cmd/root.go
+@@ -62,11 +62,6 @@ var (
+ )
+ 
+ func Execute() {
+-	if err := setUpGlobals(); err != nil {
+-		fmt.Fprintf(os.Stderr, "Error: %s\n", err)
+-		os.Exit(1)
+-	}
+-
+ 	if err := rootCmd.Execute(); err != nil {
+ 		os.Exit(1)
+ 	}
+@@ -75,6 +70,11 @@ func Execute() {
+ }
+ 
+ func init() {
++	if err := setUpGlobals(); err != nil {
++		fmt.Fprintf(os.Stderr, "Error: %s\n", err)
++		os.Exit(1)
++	}
++
+ 	persistentFlags := rootCmd.PersistentFlags()
+ 
+ 	persistentFlags.BoolVarP(&rootFlags.assumeYes,
+@@ -96,7 +96,9 @@ func init() {
+ 	persistentFlags.CountVarP(&rootFlags.verbose, "verbose", "v", "Set log-level to 'debug'")
+ 
+ 	rootCmd.SetHelpFunc(rootHelp)
+-	rootCmd.SetUsageFunc(rootUsage)
++
++	usageTemplate := fmt.Sprintf("Run '%s --help' for usage.", executableBase)
++	rootCmd.SetUsageTemplate(usageTemplate)
+ }
+ 
+ func preRun(cmd *cobra.Command, args []string) error {
+@@ -188,12 +190,6 @@ func rootRun(cmd *cobra.Command, args []string) error {
+ 	return rootRunImpl(cmd, args)
+ }
+ 
+-func rootUsage(cmd *cobra.Command) error {
+-	err := fmt.Errorf("Run '%s --help' for usage.", executableBase)
+-	fmt.Fprintf(os.Stderr, "%s", err)
+-	return err
+-}
+-
+ func migrate() error {
+ 	logrus.Debug("Migrating to newer Podman")
+ 
+-- 
+2.34.1
+

toolbox.spec

@@ -1,23 +1,23 @@
+%global __brp_check_rpaths %{nil}
+
 Name:          toolbox
-Version:       0.0.99.2^3.git075b9a8d2779
+Version:       0.0.99.3
 
 %global goipath github.com/containers/%{name}
 %gometa
 
-Release:       1%{?dist}
+Release:       4%{?dist}
 Summary:       Tool for containerized command line environments on Linux
 
 License:       ASL 2.0
-URL:           https://github.com/containers/%{name}
-
-# https://github.com/containers/%%{name}/releases/download/%%{version}/%%{name}-%%{version}.tar.xz
-# Snapshot tarball
-Source0:       %{name}-%{version}.tar.xz
+URL:           https://containertoolbx.org/
+Source0:       https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
 
 # Fedora specific
 Patch100:      toolbox-Don-t-use-Go-s-semantic-import-versioning.patch
 Patch101:      toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch
 Patch102:      toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
+Patch103:      toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch
 
 BuildRequires: ShellCheck
 BuildRequires: golang >= 1.13
@@ -33,10 +33,11 @@ BuildRequires: golang(github.com/sirupsen/logrus) >= 1.4.2
 # BuildRequires: golang(github.com/stretchr/testify) >= 1.7.0
 BuildRequires: golang(github.com/spf13/cobra) >= 0.0.5
 BuildRequires: golang(golang.org/x/sys/unix)
-BuildRequires: meson
+BuildRequires: meson >= 0.58.0
 BuildRequires: pkgconfig(bash-completion)
 BuildRequires: systemd
 
+Requires:      containers-common
 Requires:      flatpak-session-helper
 Requires:      podman >= 1.4.0
 
@@ -54,6 +55,7 @@ Summary:       Required packages for the container image to support %{name}
 # These are really required to make the image work with toolbox
 Requires:      passwd
 Requires:      shadow-utils
+Requires:      util-linux
 Requires:      vte-profile
 
 %description   support
@@ -90,7 +92,6 @@ Requires:      less
 Requires:      lsof
 Requires:      man-db
 Requires:      man-pages
-Requires:      mlocate
 Requires:      mtr
 Requires:      nano-default-editor
 Requires:      nss-mdns
@@ -144,6 +145,8 @@ The %{name}-tests package contains system tests for %{name}.
 %patch102 -p1
 %endif
 
+%patch103 -p1
+
 %gomkdir
 
 
@@ -185,6 +188,29 @@ ln -s src/pkg pkg
 
 
 %changelog
+* Sat Jul 09 2022 Maxwell G <gotmax@e.email> - 0.0.99.3-4
+- Rebuild for CVE-2022-{24675,28327,29526 in golang}
+
+* Sat Jul 09 2022 Maxwell G <gotmax@e.email> - 0.0.99.3-3
+- Rebuild for CVE-2022-{24675,28327,29526} in golang
+
+* Sun Jan 09 2022 Ondřej Míchal <harrymichal@fedoraproject.org> - 0.0.99.3-2
+- Add upstream patch fixing doubled error messages
+
+* Fri Dec 10 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.3-1
+- Update to 0.0.99.3
+- Update the URL to point to the website
+
+* Mon Oct 25 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-4
+- Restore backwards compatibility with existing containers
+
+* Fri Oct 22 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-3
+- Ensure that binaries are run against their build-time ABI
+- Require containers-common for ownership of %%{_sysconfdir}/containers
+
+* Wed Aug 25 2021 Oliver Gutiérrez <ogutierrez@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-2
+- Rebuilt for gating check
+
 * Mon Aug 09 2021 Oliver Gutiérrez <ogutierrez@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-1
 - Updated to 0.0.99.2^3.git075b9a8d2779 snapshot